Understanding Layer 2 switch port security
Safe Switch
Vulnerability
You may have noticed that this default MAC address learning process contains no authentication step. Any host connected to the switch can manipulate the MAC address table simply by sending data frames, and the switch has no way to verify that a frame's source MAC address is genuine. In the following sections, I introduce three common attacks that work by sending data frames with a fake source MAC address. Tools for launching this kind of attack are easy to find on the Internet and are also shipped with Linux penetration testing distros, such as Kali Linux [1].
MAC Flooding Attack
Space in the switch's MAC address table is limited. The maximum number of records ranges from several thousand for entry-level models to hundreds of thousands for advanced models. What happens when the MAC address table is full? Depending on how the switch's operating system is coded, one of three things happens:
1. Old records are removed immediately to free up space for learning new MAC addresses.
2. The switch stops learning new MAC addresses until old records are flushed.
3. The system halts.
Hackers hope for results 1 and 2, because the switch then has to fall back to broadcasting frames it can no longer look up, and that gives the intruder a chance to capture sensitive information.
You can check the maximum capacity of a switch's MAC address table by using the switch's operating system. For Cisco IOS, use the following command to check the MAC address table's available space:
SW#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 3
Static Address Count : 0
Total Mac Addresses : 3
Total Mac Address Space Available: 6021
In a MAC flooding attack, an attacker attempts to generate a large number of data frames with different MAC addresses (generated randomly) and send them to the switch (Figure 3). The switch learns every single frame's source address and stores the addresses in the MAC address table until it is full.
You can use macof [2], which is preinstalled on Kali Linux, to implement the MAC flooding attack. Simply open the command console and type
macof -e [interface]
to start the attack. Listing 1 shows the tool generating random MAC addresses and sending them out through the interface.
Listing 1: Generating random MAC addresses
root@kali:~# macof -e eth1
e3:8b:88:3:b4:cd d8:25:98:35:61:87 0.0.0.0.9537 > 0.0.0.0.18576: S 1905213613:1905213613(0) win 512
91:33:3b:3:a0:f5 d6:11:53:f:5e:c8 0.0.0.0.8066 > 0.0.0.0.49105: S 428779274:428779274(0) win 512
c4:27:40:74:3d:11 b9:a5:d3:1d:e:bf 0.0.0.0.8772 > 0.0.0.0.42343: S 1206065071:1206065071(0) win 512
9a:d7:d9:6a:fd:ee 9b:e8:7:15:e4:1d 0.0.0.0.44381 > 0.0.0.0.7072: S 352131538:352131538(0) win 512
42:33:77:69:9b:65 ef:3b:4c:19:e2:bd 0.0.0.0.24920 > 0.0.0.0.19837: S 1039619585:1039619585(0) win 512
a:60:b2:3d:fc:af d3:7c:5b:36:4a:61 0.0.0.0.17578 > 0.0.0.0.4432: S 727135709:727135709(0) win 512
18:75:26:4c:a8:23 10:81:2a:12:e1:be 0.0.0.0.42271 > 0.0.0.0.61161: S 1071867223:1071867223(0) win 512
98:15:eb:38:f3:c1 c8:d7:c1:61:be:a3 0.0.0.0.30693 > 0.0.0.0.57646: S 1759104040:1759104040(0) win 512
dc:6d:43:15:be:52 99:19:41:22:4e:36 0.0.0.0.29211 > 0.0.0.0.63665: S 481173385:481173385(0) win 512
42:d5:ac:47:75:fd 2:3c:f5:3a:29:b0 0.0.0.0.14787 > 0.0.0.0.57718: S 1888990933:1888990933(0) win 512
4d:ed:18:48:f0:f5 4b:ba:a5:66:ef:ee 0.0.0.0.54900 > 0.0.0.0.37268: S 397896255:397896255(0) win 512
<--Output Omitted-->
If you check the MAC address table count again after a few seconds, you will find that all of the available space has been filled with fake records. As I mentioned before, MAC records are deleted after 300 seconds, so the attacker keeps the program running, continuously sending fake MAC addresses into the network, to make sure the switch's table stays full of fake records:
SW#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 6024
Static Address Count : 0
Total Mac Addresses : 6024
Total Mac Address Space Available: 0
Once all of the legitimate records have timed out and the table holds nothing but fake records, the attacker can capture the traffic the switch now broadcasts with a sniffer such as Wireshark.
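The same show command is also the cheapest early-warning signal a defender has: a table that goes from a handful of entries to full within seconds is not normal host churn. The following Python script is an added example, not code from the original article; it parses the two show mac address-table count outputs quoted above (embedded as constructed sample strings), derives the table capacity, and raises an alert when the table is nearly full or when the number of dynamic entries jumps between two polls. The function names and the 80% and 1000-entry thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample input: the two "show mac address-table count" outputs
# quoted in the article, captured before and during a MAC flooding attack.
BEFORE = """\
SW#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 3
Static Address Count : 0
Total Mac Addresses : 3
Total Mac Address Space Available: 6021
"""

DURING = """\
SW#show mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 6024
Static Address Count : 0
Total Mac Addresses : 6024
Total Mac Address Space Available: 0
"""

# One regex per counter line. The "Total Mac Addresses" pattern cannot match
# the "Total Mac Address Space Available" line because of the plural form.
FIELDS = {
    "dynamic": r"Dynamic Address Count\s*:\s*(\d+)",
    "static": r"Static Address Count\s*:\s*(\d+)",
    "total": r"Total Mac Addresses\s*:\s*(\d+)",
    "free": r"Total Mac Address Space Available\s*:\s*(\d+)",
}


def parse_mac_count(output: str) -> dict:
    """Extract the counters from 'show mac address-table count' output."""
    counts = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, output)
        if match is None:
            raise ValueError(f"counter {name!r} not found in switch output")
        counts[name] = int(match.group(1))
    # The switch does not print the table size directly; derive it.
    counts["capacity"] = counts["total"] + counts["free"]
    return counts


def utilization(counts: dict) -> float:
    """Fraction of the MAC address table in use (0.0 to 1.0)."""
    return counts["total"] / counts["capacity"]


def assess(previous: dict, current: dict,
           util_threshold: float = 0.8, growth_threshold: int = 1000) -> list:
    """Compare two polls and return alert strings (an empty list means all clear).

    Both thresholds are illustrative assumptions: a healthy access switch never
    fills 80% of its table, and a thousand new dynamic entries between two polls
    taken a few seconds apart is the signature of a flood, not of real hosts.
    """
    alerts = []
    util = utilization(current)
    if util >= util_threshold:
        alerts.append(f"MAC table {util:.0%} full "
                      f"({current['total']} of {current['capacity']} entries)")
    growth = current["dynamic"] - previous["dynamic"]
    if growth >= growth_threshold:
        alerts.append(f"{growth} new dynamic MAC entries since the last poll")
    return alerts


if __name__ == "__main__":
    before, during = parse_mac_count(BEFORE), parse_mac_count(DURING)
    print(f"capacity: {before['capacity']} entries")
    for alert in assess(before, during):
        print("ALERT:", alert)
```

In practice the two strings would be the output of the same command collected on a schedule (over SSH or from a monitoring system) rather than constants; the derived capacity of 6024 entries matches the figures the article shows, and the growth check is what distinguishes a flood from a table that is merely busy.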
MAC Spoofing
In MAC spoofing, instead of sending random MAC addresses, the attacker sends frames whose source address is that of another device on the network. The attacker sends these spoofed frames frequently, say more than 10 frames per second, to make sure of always winning the competition for the MAC address table entry. Every frame that should be delivered to the victim then goes to the attacker instead, because the network switches hold the wrong record in their MAC address tables (Figure 4).
The Ettercap [3] utility, also available on Kali Linux, is often used to launch a MAC spoofing attack. First, you launch Ettercap (Figure 5). Next, select Sniff | Unified Sniffing to identify the attack interface (Figure 6), followed by Hosts | Scan to scan for hosts. Then, choose Hosts | Hosts to see all the hosts attached to the network. Finally, select Mitm | Port Stealing to start the attack (Figure 7).
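Because the spoofer has to keep re-sending frames to hold on to the table entry, the victim's MAC address is seen bouncing between the victim's real port and the attacker's port, and that flapping is the observable a defender can alert on. The following Python script is an added example, not code from the original article: it compares successive show mac address-table dynamic snapshots (constructed sample data laid out like Cisco IOS output, with invented MAC and port values) and reports any address whose port keeps changing. The function names and the move threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: four "show mac address-table dynamic" snapshots taken a
# second apart, laid out like Cisco IOS output. MAC and port values are invented.
# 0011.2233.4455 (the victim, really attached to Gi0/1) keeps reappearing on
# Gi0/7, the port the spoofing host is plugged into; the other entries never move.
SNAPSHOTS = [
    """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    00aa.bbcc.ddee    DYNAMIC     Gi0/2
   1    0c0c.0c0c.0c0c    DYNAMIC     Gi0/7
""",
    """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/7
   1    00aa.bbcc.ddee    DYNAMIC     Gi0/2
   1    0c0c.0c0c.0c0c    DYNAMIC     Gi0/7
""",
    """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    00aa.bbcc.ddee    DYNAMIC     Gi0/2
   1    0c0c.0c0c.0c0c    DYNAMIC     Gi0/7
""",
    """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/7
   1    00aa.bbcc.ddee    DYNAMIC     Gi0/2
   1    0c0c.0c0c.0c0c    DYNAMIC     Gi0/7
""",
]

# Matches one table row: VLAN number, dotted-hex MAC, entry type, port.
# Header and separator lines do not start with a digit and are skipped.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(output: str) -> dict:
    """Return {(vlan, mac): port} for every row in one snapshot."""
    table = {}
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if match:
            vlan, mac, port = match.groups()
            table[(int(vlan), mac.lower())] = port
    return table


def find_flapping(snapshots: list, min_moves: int = 2) -> dict:
    """Report MACs whose port changed at least min_moves times across snapshots.

    A single move is what a legitimately relocated host looks like, so the
    default threshold of 2 (an assumption) only fires when the entry keeps
    bouncing, i.e. when two ports are competing for the same address.
    """
    moves = defaultdict(int)
    ports_seen = defaultdict(set)
    previous = {}
    for snapshot in snapshots:
        current = parse_mac_table(snapshot)
        for key, port in current.items():
            ports_seen[key].add(port)
            if key in previous and previous[key] != port:
                moves[key] += 1
        previous = current
    return {
        key: {"moves": count, "ports": sorted(ports_seen[key])}
        for key, count in moves.items()
        if count >= min_moves
    }


if __name__ == "__main__":
    for (vlan, mac), info in find_flapping(SNAPSHOTS).items():
        print(f"vlan {vlan} mac {mac} flapped {info['moves']} times "
              f"between ports {', '.join(info['ports'])}")
```

The report names both ports involved, which is exactly what an operator needs: one of them is the victim's known port and the other is where the spoofing host is connected, so the offending port can be shut down or placed under port security.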